It's a sad fact that a percentage of any population will be morally challenged.

Another percentage will be opportunistic. If you had a piece of software and a licence key, would you install it on your home kit? How about an illicit MP3, CD or DVD? For those of you who are legitimately outraged and indignant at the aspersion, you are in a worryingly small minority.

Then there is the behaviour that manifests when a relationship breaks down.

Years back I did a module on employee relations and a story (hopefully an urban legend/myth) was told about a dispute at a steel works. Apparently cyanide is routinely used in some processes and because of the dangers involved flasks of a liquid to counteract the effects of cyanide poisoning were within easy reach.

In the event of cyanide poisoning speed is of the essence, so the idea was that the liquid was drunk, but the inevitable consequence was that the human body would expel whatever it could by whatever method it could, via every pore and orifice it could. During an acrimonious industrial dispute, management learnt to fear the coffee urn, canteen food and the drinking fountain.

There has been a large decline in ethical leadership worldwide and a growing lack of loyalty towards employees and citizens. Considering this environment, it's pretty much a given that theft and breaches will happen. It doesn't help that our government discourages accountability and massively funds data theft.

The problem with encryption and other measures is that people are lazy and management doesn't want to spend money on tools and training. When a large percentage of the technical professionals I've met don't even understand the basics of PKI and topics of that ilk, it's evident that the industry as a whole is only paying lip service to security and is cargo-culting on a minimal, as-needed basis.

I'd be interested to know what the main motivation is for insider data breaches. Is it random vandalism, retaliation, greed, or a sense that something the company is doing is wrong and needs to be exposed? Something else? I would also like to know how much data is secured that doesn't really need to be secured. I've met many people who seem to have a fixation on securing things that don't really need to be. Some DBAs tend to have a warrior mentality when there may not be any actual war.

IMHO (6/25/2013) I'd be interested to know what the main motivation is for insider data breaches. Is it random vandalism, retaliation, greed, or a sense that something the company is doing is wrong and needs to be exposed? Something else? I would also like to know how much data is secured that doesn't really need to be secured. I've met many people who seem to have a fixation on securing things that don't really need to be. Some DBAs tend to have a warrior mentality when there may not be any actual war.

I doubt it's one thing. In the restaurant business, we'd see lots of inside issues, and it ranged from vandalism (throwing things away) to theft/greed (stealing money or alcohol), but the latter might be because someone needs money (not making enough), or they feel entitled (they're not paying me enough) to fun (my friends and I want free drinks).

By and large, employees are granted more access to data than they really need to perform their job functions. I'm surprised when people talk about a database with dozens or hundreds of users. Do individual users really need access to the database? All you need are a handful of service accounts, one for each security role. Users should access data via the application, and auditing is used to keep track of what requests users make.

Eric M Russell (6/25/2013) By and large, employees are granted more access to data than they really need to perform their job functions. I'm surprised when people talk about a database with dozens or hundreds of users. Do individual users really need access to the database? All you need are a handful of service accounts, one for each security role. Users should access data via the application, and auditing is used to keep track of what requests users make.

This is another cost of the departmental Access/Excel application.

Also a cost of the lack of ethics in business from top to bottom. I particularly see people being forced (or pressured is probably more fair) to stay longer than both necessary to perform their job and longer than agreed (by employment contract). This results in people using some of their time at their desks for their own purposes, if only training.

It's late in the evening, an employee is disgruntled about being asked to work overtime, and they have an open query window with select permission on every table in the database, if not full sysadmin privilege. It's a bad scenario, and employee training won't fix it. It's management and sysadmins who need to be trained on how to avoid this.
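An added example, not from anyone in this thread: a T-SQL inventory that lists exactly the principals the scenario above depends on, sysadmin members, db_owner/db_datareader/db_datawriter members, and any individual user or Windows group with a direct SELECT/INSERT/UPDATE/DELETE grant on a table or schema. It assumes SQL Server 2012 or later catalog views and is run inside the database being reviewed; the excluded account name `svc_app_reporting` is a placeholder for whatever service accounts are expected to hold such rights.

```sql
-- Added inventory query (assumption: SQL Server 2012+ catalog views).
-- Run in the database under review; section 1 is instance-wide.

-- 1. Logins in the sysadmin fixed server role (can read or drop anything).
SELECT r.name AS server_role, m.name AS member_login, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin'
ORDER BY m.name;

-- 2. Users in the broad fixed database roles.
SELECT r.name AS database_role, m.name AS member_user, m.type_desc
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN ('db_owner', 'db_datareader', 'db_datawriter')
ORDER BY r.name, m.name;

-- 3. Direct data-access grants to individual users or Windows groups
--    (type S = SQL user, U = Windows user, G = Windows group), on the
--    whole database (class 0), a single object (class 1) or a schema (class 3).
SELECT p.name AS grantee,
       p.type_desc,
       perm.permission_name,
       perm.state_desc,
       CASE perm.class
           WHEN 0 THEN DB_NAME()
           WHEN 1 THEN OBJECT_SCHEMA_NAME(perm.major_id) + '.' + OBJECT_NAME(perm.major_id)
           WHEN 3 THEN SCHEMA_NAME(perm.major_id)
           ELSE perm.class_desc
       END AS securable
FROM sys.database_permissions AS perm
JOIN sys.database_principals AS p ON p.principal_id = perm.grantee_principal_id
WHERE perm.permission_name IN ('SELECT', 'INSERT', 'UPDATE', 'DELETE')
  AND perm.state IN ('G', 'W')                    -- GRANT or GRANT WITH GRANT OPTION
  AND perm.class IN (0, 1, 3)
  AND p.type IN ('S', 'U', 'G')
  AND p.name NOT IN ('dbo', 'svc_app_reporting') -- placeholder: your known service accounts
ORDER BY p.name, securable;
```

Anything returned by sections 1 and 2 that is a person rather than a service account, and anything in section 3 at all, is a candidate for the role-based access the thread describes. Running this on a schedule and diffing the output is a cheap way to notice when someone has quietly been added to db_owner "just for tonight".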

I agree that developers need to get better at using proper techniques.

That said, companies are the real root cause of poor software. The opposition to allowing time to code, test and validate is the largest issue. I know a lot of developers that WANT TO write better code, but are not allowed to.

djackson 22568 (6/25/2013) I agree that developers need to get better at using proper techniques.

That said, companies are the real root cause of poor software. The opposition to allowing time to code, test and validate is the largest issue. I know a lot of developers that WANT TO write better code, but are not allowed to.

Developers may be members of DBO or even SYSADMIN when they log in to the development database using their domain account. They need that for creating tables, procedures, etc. However, when unit testing or performing QA, they should log in using a separate account that has the same name and the least privileges as the application account (should have) in production. If testing is not done under a least-privilege account like this, then many organizations will punt and grant full DBO or SYSADMIN rights to the application account.
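An added T-SQL example, not from any poster in this thread, that puts both Eric's point (a handful of service accounts, one per security role, with users going through the application and auditing recording what they do) and the point above (a developer test account carrying exactly the application account's production rights) into one script. Every name in it is a placeholder: the `Sales` database, the `dbo.Orders` table, the `api` schema, the `sales_order_entry` and `sales_reporting` roles, the `svc_sales_app` and `svc_sales_app_test` logins, and the audit file path.

```sql
-- Added example script (placeholder names throughout). Requires sysadmin to run.
USE master;
GO
-- Server audit target: a path the DBAs control and the application cannot write to.
CREATE SERVER AUDIT SalesAppAudit
    TO FILE (FILEPATH = N'D:\Audit\');          -- placeholder path
ALTER SERVER AUDIT SalesAppAudit WITH (STATE = ON);

-- One login for the production application, one for developer QA.
CREATE LOGIN svc_sales_app      WITH PASSWORD = N'<generated-password-1>';
CREATE LOGIN svc_sales_app_test WITH PASSWORD = N'<generated-password-2>';
GO

USE Sales;                                       -- placeholder database
GO
CREATE TABLE dbo.Orders (
    OrderId    int           NOT NULL PRIMARY KEY,
    CustomerId int           NOT NULL,
    OrderDate  datetime2(0)  NOT NULL,
    CardNumber varchar(19)   NULL                -- the column nobody should browse
);

-- Roles are named after functions the application performs, not after people.
CREATE ROLE sales_order_entry;
CREATE ROLE sales_reporting;

-- All data access goes through procedures in a dedicated schema owned by dbo.
CREATE SCHEMA api AUTHORIZATION dbo;
GO
CREATE PROCEDURE api.usp_GetOrder @OrderId int
AS
    SELECT OrderId, CustomerId, OrderDate        -- CardNumber deliberately not returned
    FROM dbo.Orders
    WHERE OrderId = @OrderId;
GO
-- The roles may only EXECUTE; no SELECT on base tables is ever granted to them.
GRANT EXECUTE ON SCHEMA::api TO sales_order_entry;
GRANT EXECUTE ON SCHEMA::api TO sales_reporting;
-- Explicit DENY so a later "temporary" GRANT to the role cannot open the tables.
-- Ownership chaining (dbo owns both api.* and dbo.*) lets the procedures still
-- read the tables, because permissions on chained objects are not evaluated.
DENY SELECT, INSERT, UPDATE, DELETE ON SCHEMA::dbo TO sales_order_entry;
DENY SELECT, INSERT, UPDATE, DELETE ON SCHEMA::dbo TO sales_reporting;

-- Production application account: mapped user plus role membership, nothing else.
CREATE USER svc_sales_app FOR LOGIN svc_sales_app;
ALTER ROLE sales_order_entry ADD MEMBER svc_sales_app;

-- Developer test account: built the same way, so QA runs with exactly the rights
-- the application will have in production. A failing test here is a missing
-- GRANT to fix, not a reason to hand the application account db_owner.
CREATE USER svc_sales_app_test FOR LOGIN svc_sales_app_test;
ALTER ROLE sales_order_entry ADD MEMBER svc_sales_app_test;

-- Database audit: every procedure call by the role, plus any attempt (denied or
-- not) to touch the tables directly, so "who ran what" is answerable afterwards.
CREATE DATABASE AUDIT SPECIFICATION SalesAppAuditSpec
    FOR SERVER AUDIT SalesAppAudit
    ADD (EXECUTE ON SCHEMA::api BY sales_order_entry),
    ADD (SELECT, INSERT, UPDATE, DELETE ON SCHEMA::dbo BY sales_order_entry)
    WITH (STATE = ON);
GO

-- Self-check as the test account: the procedure works, the table does not.
INSERT INTO dbo.Orders VALUES (1, 42, SYSUTCDATETIME(), NULL);  -- constructed row
EXECUTE AS USER = 'svc_sales_app_test';
EXEC api.usp_GetOrder @OrderId = 1;              -- returns the row (no CardNumber)
SELECT TOP (1) * FROM dbo.Orders;                -- error 229: permission denied
REVERT;
```

The pattern scales by adding procedures to `api` and roles to match application functions; individual people never get a database user at all, and the only principals the inventory query earlier in the thread should list are the two service accounts. Reading the audit file with `sys.fn_get_audit_file` then shows every procedure call and every denied direct table read, which is the evidence the late-evening scenario otherwise leaves no trace of.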